CAMBRIDGE, England — (BUSINESS WIRE) — July 20, 2016 —
Billions of connected devices are potentially at risk unless security
sensitive software can be managed to an e-commerce standard, according
to a group of leading technology security experts.

The companies, including
ARM,
Intercede,
Solacia
and
Symantec
worked together to assess the security challenges of connecting billions
of devices across multiple sectors; including industrial, home, health
services and transportation. Their conclusion was that any system could
be compromised unless a system-level root of trust was established.

To deal with the risk, the companies collaborated on the Open Trust
Protocol (OTrP) to combine a secure architecture with trusted code
management, using technologies proven in large scale banking and
sensitive data applications on mass-market devices such as smartphones
and tablets.

“In an internet-connected world, it is imperative to establish trust
between all devices and service providers,” said Marc Canel, vice
president of security systems, ARM. “Operators need to trust devices
their systems interact with and OTrP achieves this in a simple way. It
brings e-commerce trust architectures together with a high-level
protocol that can be easily integrated with any existing platform.”

Symantec
estimates that one million internet attacks were carried out every day
during 2015. The Internet of Things (IoT) expands the attack surface and
according to
Gartner,
the analyst firm, security is now the number one priority when building
any connected product.

OTrP in more detail

OTrP is a high level management protocol that works with security
solutions such as ARM® TrustZone®-based Trusted
Execution Environments that are designed to protect mobile computing
devices from malicious attack. The protocol is available for download
from the
IETF
website today for prototyping and testing.

The protocol paves the way for an open interoperable standard to enable
the management of trusted software without the need for a centralized
database by reusing the established security architecture of e-commerce.
The management protocol is used with Public Key Infrastructure (PKI) and
Certificate Authority-based trust architectures, enabling service
providers, app developers and OEMs to use their own keys to authenticate
and manage trusted software and assets. OTrP is a high level and simple
protocol that can be easily added to existing Trusted Execution
Environments or to microcontroller-based platforms capable of RSA
cryptography.

OTrP is available as an IETF informational and it is planned that it
will be further developed by a standards defining organization that can
encourage its mass adoption as an interoperable standard.

Partner quotes

“The chain of trust for connected services must be based on strong
digital identities for people and devices to ensure the integrity of
data and applications in an open and interoperable way,” said Lubna
Dajani, OTPA Secretary and Futurist. “The release of OTrP is a
significant step forward and it will enable the industry to operate more
efficiently by collaborating on the basics and only competing where
individual value can be added.”

“Posting OTrP as an IETF informational for public review is an important
step in providing universal digital trust from silicon to services for
mobile and IoT connected devices, said Richard Parris, CEO of digital
trust specialists, Intercede. “It provides network operators and app
developers the control they need over their selection of hardware
security module and cryptographic key provider for reasons of
interoperability, policy and cost while maintaining a common management
platform across mixed fleets of devices.”

“Enabling the creation of an OTrP ecosystem for Trusted Applications is
crucial in ensuring commercial flexibility across markets, said SangJin
Park, CEO of Solacia. “We are committed to the adoption of open
standards across the security industry and the provision of SecuriTEE
will help to achieve this by deploying ARM TrustZone technology widely
to ensure universal adoption of secure mobility.”

“As a wireless operator, providing a communication and data ecosystem
that is safe and secure is a paramount mission,” said Dr. Ron Marquardt,
Vice President of Technology at Sprint. “As the global ecosystem of
connected devices and mobile applications continues to grow, security
will become more challenging. OTrP offers a strong prescription for this
increasing challenge with its flexibility to provision and maintain
system-level root of trust within the service ecosystem.”

“With new technologies come increased security risks,” said Brian
Witten, Senior Director, Internet of Things (IoT) Security, Symantec.
“The Internet of Things and smart mobile technologies are moving into a
range of diverse applications and it is important to create an open
protocol to ease and accelerate adoption of hardware-backed security
that is designed to protect on board encryption-keys.”